AFL – American Fuzzy Lop

A short introduction by Tobias Ospelt, March, 9th 2015

Silicon Valley Fuzzers, Fuzzing meetup, Santa Clara, CA

Me

•  Penetra'on  Tester  (usually  CH,  DE,  UK,  once  in  the  USA)  

•  Android  stuff,  mona.py  unicode  alignment,  'ncd  metasploit  module,  started  fuzzing  – floyd.ch  /  @floyd_ch  

•  AFL  user  (not  an  expert  on  all  the  internals)  

Company

•  6  IT  security  experts  •  Keykeriki,  Backtrack,  Degate,  remote-­‐exploit.org,  Die  Datenkrake,  Analysis  of  the  German  state  trojan  

•  We  do  all  areas  of  technical  HW  &  SW  security  analysis  (Penetra'on  Tes'ng,  Crypto,  Web,  medical  devices,  etc.)  

AFL – American Fuzzy Lop

•  Fuzzer  developed  by  Michal  Zalewski  (lcamtuf),  Project  Zero,  Google  – He's  on  holiday  today  L  

•  h[p://lcamtuf.coredump.cx/afl/  •  "Under  certain  condi'ons  you  are  crazy  if  you  don't  use  AFL  for  your  project"  -­‐  me  

Why use AFL?

It finds bugs

IJG  jpeg  1  libjpeg-­‐turbo  1  2  libpng  1  lib'ff  1  2  3  4  5  mozjpeg  1  libbpg  (1)  Mozilla  Firefox  1  2  3  4  5  Google  Chrome  1  Internet  Explorer  1  2  (3)  (4)  LibreOffice  1  2  3  4  poppler  1  freetype  1  2  GnuTLS  1  GnuPG  1  2  (3)  OpenSSH  1  2  3  bash  (post-­‐Shellshock)  1  2  tcpdump  1  2  3  4  5  6  7  Adobe  Flash  /  PCRE  1  2  JavaScriptCore  1  2  3  4  pdfium  1  ffmpeg  1  2  3  4  libmatroska  1  libarchive  1  2  3  4  5  6  ...  wireshark  1  ImageMagick  1  2  3  4  5  6  7  8  ...  lcms  (1)  PHP  1  2  lame  1  FLAC  audio  library  1  2  libsndfile  1  2  3  less  /  lesspipe  1  2  3  strings  (+  related  tools)  1  2  3  4  5  6  7  file  1  2  dpkg  1  rcs  1  systemd-­‐resolved  1  2  sqlite  1  2  3  libyaml  1  Info-­‐Zip  unzip  1  2  OpenBSD  pfctl  1  NetBSD  bpf  1  man  &  mandoc  1  2  3  4  5  ...  IDA  Pro  clamav  1  2  libxml2  1  glibc  1  clang  /  llvm  1  2  3  4  5  6  nasm  1  2  ctags  1  mu[  1  procmail  1  fontconfig  1  pdksh  1  2  Qt  1  wavpack  1  redis  /  lua-­‐cmsgpack  1  taglib  1  2  3  privoxy  1  perl  1  2  3  4  5  6  libxmp  radare2  1  2  fwknop  metacam  1  exifprobe  1  capnproto  1  

It's spooky

•  Michal  gave  djpeg  (IJG  jpeg  library)  to  AFL  •  Plus  a  non-­‐jpeg  file  as  an  input  – $  echo  'hello'  >in_dir/hello  

•  AFL  started  to  produce  valid  jpeg  files  aper  a  day  or  two  

More reasons

•  It's  dead  simple  •  No  configura'on  of  AFL  necessary,  robust  •  It's  cuqng  edge  •  It's  fast  •  Produces  very  very  good  input  files  (corpus)  that  can  be  used  in  other  fuzzers  

•  Many  targets  that  were  never  touched  by  AFL  (and  it  will  crush  them)  

When I read through lcatumf’s post on ‘less’ and ‘strings’

Source:  h[p://securityreac'ons.tumblr.com/page/10  

And because you will go

You won't believe what you are reading

•  Source:  h[p://lcamtuf.coredump.cx/afl/demo/  

•  afl-­‐generated,  minimized  image  test  sets  (par'al)  [...]  

•  JPEG  XR  jxrlib  1.1  JxrDecApp¹  IE  à  Ditched  ²  •  ²  Due  to  the  sheer  number  of  exploitable  bugs  that  allow  the  fuzzer  to  jump  to  arbitrary  addresses.  

When to use AFL

The usual use case

•  You  have  the  source  code  and  you  compile  with  gcc  or  clang  

•  Your  are  on  32bit  or  64bit  on  Linux/OSX/BSD  •  The  to-­‐be-­‐fuzzed  code  (e.g.  parser)  reads  it's  input  from  stdin  or  from  a  file  

•  The  input  file  is  usually  only  max.  10kb  •  This  covers  *a  lot*  of  Linux  libraries  

What if something does not apply?

•  No  source  code?  –  Try  the  experimental  QEMU  instrumenta'on  

•  Not  on  32/64  bit?  –  There  is  an  experimental  ARM  version  

•  Not  reading  from  stdin  or  file?  – Maybe  your  project  has  a  u'lity  command  line  tool  that  does  read  from  file  

– Or  you  write  a  wrapper  to  do  it  –  Same  if  you  want  to  test  (parts  of)  network  protocol  parsers  

How to use AFL

Steps of fuzzing

1.  Compile/install  AFL  (once)  2.  Compile  target  project  with  AFL  – afl-­‐gcc  /  afl-­‐g++  /  afl-­‐clang  /  afl-­‐clang++  /  (afl-­‐as)  

3.  Chose  target  binary  to  fuzz  in  project  – Chose  its  command  line  op'ons  to  make  it  run  fast  

4.  Chose  valid  input  files  that  cover  a  wide  variety  of  possible  input  files  – afl-­‐cmin  /  (afl-­‐showmap)  

Steps of fuzzing

5.  Fuzzing  –  afl-­‐fuzz  

6.  Check  how  your  fuzzer  is  doing  –  command  line  UI  /  �afl-­‐whatsup  /  afl-­‐plot  /  afl-­‐gotcpu  

7.  Analyze  crashes  –  afl-­‐tmin  /  �triage_crashes.sh  /  peruvian  were  rabbit  – ASAN  /  valgrind  /  exploitable  gdb  plugin  /  …  

8.  Have  a  lot  more  work  than  before  –  CVE  assignment  /  responsible  disclosure  /  …    

Installing AFL (step 1)

#!/bin/bash #Download & compile new AFL version: wget http://lcamtuf.coredump.cx/afl.tgz tar xfz afl.tgz rm afl.tgz cd `find . -type d -iname "afl-*"|sort|head -1` make echo "Provide sudo password for sudo make install" sudo make install

AFL binaries

/opt/afl-1.56b$ ./afl- afl-as afl-fuzz afl-plot afl-clang afl-g++ afl-showmap afl-clang++ afl-gcc afl-tmin afl-cmin afl-gotcpu afl-whatsup

/opt/afl-1.56b$ ./afl-gcc [...] This is a helper application for afl-fuzz. It serves as a drop-in replacementfor gcc or clang, letting you recompile third-party code with the required runtime instrumentation. [...]

Instrumenting a project (step 2) – example: libtiff from CVS repository

/opt/libtiff-cvs-afl$ export CC=afl-gcc /opt/libtiff-cvs-afl$ export CXX=afl-g++ /opt/libtiff-cvs-afl$ ./configure --disable-shared /opt/libtiff-cvs-afl$ make clean /opt/libtiff-cvs-afl$ make

Choosing the binary to fuzz (step 3) – they are all waiting for it

/opt/libtiff-cvs-afl$ ./tools/ bmp2tiff fax2tiff ppm2tiff raw2tiff thumbnail tiff2pdf tiff2rgba tiffcp tiffdither tiffinfo tiffset fax2ps gif2tiff pal2rgb ras2tiff rgb2ycbcr tiff2bw tiff2ps tiffcmp tiffcrop tiffdump tiffmedian tiffsplit

/opt/libtiff-cvs-afl$ ./tools/bmp2tiff LIBTIFF, Version 4.0.3 Copyright (c) 1988-1996 Sam Leffler [...] usage: bmp2tiff [options] input.bmp [input2.bmp ...] output.tif

Chose initial input files (step 4)

/opt/libtiff-cvs-afl$ mkdir input_all /opt/libtiff-cvs-afl$ scp host:/bmps/ input_all/ /opt/libtiff-cvs-afl$ ls -1 input_all |wc –l 886

Chose initial input files (step 4) /opt/libtiff-cvs-afl$ afl-cmin -i input_all -o input -- /opt/libtiff-cvs-afl/tools/bmp2tiff @@ /dev/null

corpus minimization tool for afl-fuzz by <lcamtuf@google.com> [*] Testing the target binary... [+] OK, 191 tuples recorded. [*] Obtaining traces for input files in 'input_all'... Processing file 886/886... [*] Sorting trace sets (this may take a while)... [+] Found 4612 unique tuples across 886 files. [*] Finding best candidates for each tuple... Processing file 886/886... [*] Sorting candidate list (be patient)... [*] Processing candidates and writing output files... Processing tuple 4612/4612... [+] Narrowed down to 162 files, saved in 'input'.

Chose initial input files (step 4)

/opt/libtiff-cvs-afl$ ls -1 input |wc –l 162

Fuzzing (step 5)

/opt/libtiff-cvs-afl$ screen –S fuzzing /opt/libtiff-cvs-afl$ afl-fuzz -i input –o output -- /opt/libtiff-cvs-afl/tools/bmp2tiff @@ /dev/null

How is our fuzzer doing? (step 6)

How is our fuzzer doing? (step 6)

How is our fuzzer doing? (step 6)

How is our fuzzer doing? (step 6)

/opt/libtiff-cvs-afl$ afl-gotcpu afl-gotcpu 1.56b (Mar 9 2015 02:50:32) by <lcamtuf@google.com> [*] Measuring preemption rate (this will take 5.00 sec)... [+] Busy loop hit 79 times, real = 5001 ms, slice = 2448 ms. >>> FAIL: Your CPU is overbooked (204%). <<<

How is our fuzzer doing? (step 6)

•  afl-­‐plot  

How is our fuzzer doing? (step 6)

•  afl-­‐plot  

Other examples

Crash analysis (step 7) minimizing crash input

/opt/libtiff-cvs-afl$ afl-tmin -i output/crashes/id\:000000\,sig\:11\,src\:000003\,op\:int16\,pos\:21\,val\:+1 -o minimized-crash /opt/libtiff-cvs-afl/tools/bmp2tiff @@ /dev/null afl-tmin 1.56b (Mar 9 2015 02:50:31) by <lcamtuf@google.com> [+] Read 36 bytes from 'output/crashes/id:000000,sig:11,src:000003,op:int16,pos:21,val:+1'. [*] Performing dry run (mem limit = 25 MB, timeout = 1000 ms)... [+] Program exits with a signal, minimizing in crash mode. [*] --- Pass #1 --- [*] Stage #1: Removing blocks of data... Block length = 2, remaining size = 36 Block length = 1, remaining size = 34 [...]

/opt/libtiff-cvs-afl$ ls -als output/crashes/id\:000000\,sig\:11\,src\:000003\,op\:int16\,pos\:21\,val\:+14 -rw------- 1 user user 36 Mär 9 04:17 output/crashes/id:000000,sig:11,src:000003,op:int16,pos:21,val:+1 /opt/libtiff-cvs-afl$ ls -als minimized-crash 4 -rw------- 1 user user 34 Mär 9 05:51 minimized-crash

Crash analysis (step 7) minimizing malicious input

uncompr_size = width * length; ... uncomprbuf = (unsigned char *)_TIFFmalloc(uncompr_size);

Crash analysis (step 7) example of manual analysis

(gdb) p width $70 = 65536 (gdb) p length $71 = 65544 (gdb) p uncompr_size $72 = 524288

524289 is (65536 * 65544) % MAX_INT

Crash analysis (step 7) peruvian were-rabbit

/opt/libtiff-cvs-afl$ afl-fuzz -i output/crashes/ -o peruvian_crashes -C /opt/libtiff-cvs-afl/tools/bmp2tiff @@ /dev/null

Crash analysis (step 7) peruvian were-rabbit

•  Using  crashes  as  inputs,  mutate  them  to  find  different  crashes  (that  AFL  considers  "unique")  

Crash analysis (step 7) peruvian were-rabbit

You want more?

•  Try  it  yourself  •  Subscribe  to  afl-­‐users  •  Convince  Michal  to  come  here  

int 3 •  Twi[er:  @floyd_ch  •  h[p://floyd.ch      •  tobias@modzero.ch  •  Twi[er:  @mod0  •  h[p://www.modzero.ch